Virus Name: Tremor
V Status: Common (particularly in Germany)
Discovered: March, 1993
Symptoms: .COM & .EXE growth; decrease in total system and available
free memory; minor shaking of system display; message
Eff Length: 4,000 Bytes
Type Code: PRhEK - Parasitic Resident COMMAND.COM & .EXE Infector
Detection Method: F-Prot, IBMAV, ViruScan, NAV, AVTK, Sweep,
NAVDX, VAlert, PCScan, ChAV,
Sweep/N, NAV/N, AVTK/N, Innoc, IBMAV/N, NShld, LProt
Removal Instructions: Delete infected files
The Tremor virus was received in March, 1993, and is from Germany.
Tremor is a memory resident infector of COMMAND.COM and .EXE files.
It is an "anti anti-virus virus", containing some checks to avoid
detection by anti-viral software.
When the first Tremor infected program is executed, the Tremor virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, hooking interrupts 15 and 21. If,
however, upper memory or extended memory is available, the virus
will install most of its code in that memory instead, with a hook
to it in memory below 640K. Total system and available free memory,
as indicated by the DOS CHKDSK program, will have decreased by 4,288
bytes. Also at this time, the virus will infect the copy of
COMMAND.COM pointed to by the COMSPEC variable.
Once memory resident, the Tremor virus will infect .EXE programs
when they are executed, adding 4,000 bytes to the file's length.
The file length increase will be hidden when Tremor is resident.
The virus will be located at the end of the file. The program's
date and time in the DOS disk directory listing will not appear to
be altered, but will actually have had 100 added to the years field
in the file date. This is the infection marker for the virus.
Tremor is an encrypted virus, and no text strings are visible within
the viral code in infected programs.
Systems infected with the Tremor virus will experience a sluggish
system response to commands and program execution. File allocation
errors will be detected by the CHKDSK program when the virus is
memory resident, but not when Tremor is not in memory. After Tremor
has been present on the system for over three months, a slight
shaking effect of the contents of the system display may occur
accompanied by a system hang. The virus may also occassionally
clear the system display and display the following message on the
"-=> T.R.E.M.O.R was done by NEUROBASHER
/ May-June '92, Germany <=-
After a few seconds, the system will then return to "normal".
The Tremor virus is a full stealth virus, disinfecting programs as
they are read into memory. As a result, anti-viral programs which
are executed to check file checksums/CRCs, or for the presence of
the virus in files without first verifying it isn't in memory, will
not find the virus in files. It also checks for the presence of
some anti-viral monitoring programs in memory. Additionally, Tremor
is polymorphic, and an algorithmic approach must be used for